Luca,
I'm on CentOS 5.6 running PF_RING rev 4565 and Snort 2.9.0.5.
Without any BPF, I can start snort fine with:
snort -v -i tru --daq-dir /usr/local/lib/daq --daq pfring -c snort.conf
but when I add a BPF, it fails:
snort -v -i tru --daq-dir /usr/local/lib/daq --daq pfring -c snort.conf "ip"
with this error:
ERROR: Can't start DAQ (-1) - !
Fatal Error, Quitting..
If I run the command with the BPF but switch from the pfring daq to the
pcap daq, it works.
Is there a different way I should be specifying my BPF when using the
pfring daq or is that feature not presently supported?
Also, if I try to run snort as the 'snort' user instead of the default
'root' user:
snort -v -i tru --daq-dir /usr/local/lib/daq --daq pfring -c snort.conf -u snort
it fails like this:
ERROR: Can't start DAQ (-1) - pfring_open(): unable to open device 'tru'. Please use -i <device>!
Fatal Error, Quitting..
With the pcap daq, I can specify the 'snort' user. Is it a
known/intended requirement to run snort as root when using the pfring
daq? I can work with that but I thought I'd ask since I was previously
running snort 2.8.6 as the 'snort' user with pf_ring, though no daq was
involved.
Thanks for this great tool, Luca. I am next looking forward to setting
up a cluster of snort instances on separate CPUs to inspect a 10GB link
with an Intel X520-T2 NIC. That should be fun. We simply could not
afford to approach that project if it required a multi-thousand-dollar
DAG card.
Kevin
_______________________________________________
Ntop-misc mailing list
http://listgateway.unipi.it/mailman/listinfo/ntop-misc